After the Breach:
How secure and accurate is consumer information held by
ChoicePoint and other data aggregators?

Before the
California Senate Banking, Finance and Insurance Committee
Room 3191, State Capitol

Wednesday, March 30, 2005

VERSION CORRECTED APRIL 5, 2005

Introduction

Chairman Speier, Vice-Chairman Cox, and Members of the Committee, thank
you for extending the opportunity to testify on information aggregators.
My name is Chris Hoofnagle and I am director of the Electronic Privacy
Information Center's (EPIC) West Coast office. Founded in 1994, EPIC
has closely tracked the development of entities we call "commercial
data brokers," companies like Choicepoint, Lexis, and Acxiom that
buy and sell personal information for a variety of purposes.

In June 2001, EPIC filed a series of requests under the Freedom of
Information Act (FOIA) seeking access to government records regarding
Choicepoint and its competitors. Four years and a lawsuit later, we
have some idea about how this company operates, and how commercial data
brokers pose a severe threat to privacy.

In December 2004, EPIC filed a complaint with the Federal Trade Commission,
urging the agency to engage in a serious inquiry on the status of data
brokers' products. EPIC believes that some of these products may be
"consumer reports" for purposes of the Fair Credit Reporting
Act, thus subjecting both the seller and the buyer to regulation under
the Act.

Since that December filing, there have been a series of serious security
breaches involving sensitive personal information in the news. Some
commercial data brokers have sold personal information directly to criminals.
This news has rekindled interest in creating rules for commercial data
brokers to protect personal information.

In my statement today, I will begin by discussing Choicepoint and its
recent data acquisitions. I will then shift to the fuel for Choicepoint's
data—public records. Public records were intended to provide citizens
with a window onto government, but increasingly they serve as a microscope
for businesses and government to profile citizens. Next I will discuss
commercial data brokers' self-regulatory rules. I will conclude with
a framework of suggestions for reform of the commercial data broker
industry.

The Known Extent of Choicepoint's Data Acquisition

Choicepoint became independent from Equifax, a leading U.S. credit
rating agency, in 1997. ChoicePoint obtains 40,000 new public records
daily to insert into its database of more than 19 billion records. Its
business and government services division offers through its "AutoTrackXP"
product identity verification, property records, bankruptcy records,
licenses, liens, judgments, and other records to local, state and federal
law enforcement,[1] including the Drug Enforcement Administration and the
Federal Bureau of Investigation.[2] It also advertises the AutoTrackXP product
as a solution for financial services anti-fraud and anti-money laundering
compliance.[3]

Since its spinoff from Equifax, ChoicePoint has acquired a number of
information collection and processing companies. These include:

National Data Retrieval, Inc., a provider of public records information;

List Source, Inc., d/b/a Kramer Lead Marketing Group, a marketing
company in the life and health insurance and financial services markets;

As you can see, it is difficult to generalize about Choicepoint. The
company has personal information in many fields, and the public does
not fully understand how this information is gathered, used, and sold.
I would like to focus today's discussion on two aspects of Choicepoint's
activities: the company's "AutoTrackXP" product, and the "VitalChek"
subsidiary.

AutoTrackXP

On its website, ChoicePoint markets "AutoTrackXP", which
is described as:

AutoTrackXP and ChoicePoint Online provide Internet access to more
than 17 billion current and historical records on individuals and businesses,
and allow users to browse through those records instantly. With as little
information as a name or Social Security number, both products cross-reference
public and proprietary records including identity verification information,
relatives and associates, corporate information, real property records
and deed transfers. In addition, access is available to a staff of field
researchers who perform county, state and federal courthouse searches.[4]

A sample AutoTrackXP report on the ChoicePoint web site shows that
it contains Social Security Numbers; driver license numbers; address
history; phone numbers; property ownership and transfer records; vehicle,
boat, and plane registrations; UCC filings; financial information such
as bankruptcies, liens, and judgments; professional licenses; business
affiliations; "other people who have used the same address of the
subject," "possible licensed drivers at the subject's address,"
and information about the data subject's relatives and neighbors.[5]

The AutoTrackXP report is very similar in content to a standard credit
report issued by one of the "big three" credit reporting agencies.
However, AutoTrackXP is not governed by the Fair Credit Reporting Act.
This means that anyone with a Choicepoint account can buy an AutoTrackXP
report.

AutoTrackXP is Made Available to Law Enforcement With Little Privacy
Process

Federal law enforcement agencies have multi-million dollar contracts
with Choicepoint to have Internet access to AutoTrackXP. This raises
serious due process issues. When law enforcement requests a credit
report, it has to comply with procedures designed to protect individuals.
For instance, a full credit report normally cannot be obtained without
a court order, grand jury subpoena, or child support request. But law
enforcement can obtain much of the same information from AutoTrackXP
reports without engaging in any process.

The Privacy Act of 1974 was enacted, in part, because of the specter
of a federal data clearinghouse, one central place where all personal
information could be stored for government access. When the law was
passed in 1974, Congress envisioned that only the government could have
the incentive and precious computing resources to build such a data
clearinghouse. Congress was wrong—the private sector has created the
feared federal data clearinghouse. Our law should not allow an end-run
around the protections of the FCRA and Privacy Act where the private
sector can escrow troves of personal information custom-tailored for
the government.

AutoTrackXP is Available to a Wide Variety of Businesses Based on
Their Status, Not Need

I have attached as Appendix II the standard subscriber agreement that
Choicepoint uses for its services. Notice that page one enumerates
the types of businesses that are eligible for the company's services.
They include attorneys, law offices, investigations, banking, financial,
retail, wholesale, insurance, human resources, security companies, process
servers, news media, bail bonds, and if that isn't enough, Choicepoint
also includes "other."

This illustrates a subtle but important reason why EPIC believes AutoTrackXP
should be subject to Fair Credit Reporting Act regulation. Choicepoint
allows dissemination of sensitive personal information to a broad array
of businesses based on the business' status, not on their need for the
personal information. That is, under the FCRA, a credit report can
be pulled for a number of enumerated purposes. But under Choicepoint's
regime, there is no purpose specification. Access is conditioned on
one's status as an employee of a business, rather than on whether a
specific purpose is articulated for obtaining the information. We think
that it is this distinction that has contributed to personal information
being sold to criminals. If users of Choicepoint were required to articulate
a specific justification for each acquisition of personal information,
auditing would be more effective, and there would be less opportunity
to obtain information for illegitimate reasons.

Choicepoint isn't the only company that makes available sensitive personal
information to those who may have no legitimate need or purpose for
the data. U.S. Senator Charles Schumer noted last week that Westlaw
made available Social Security Numbers to Congressional staff persons
who had accounts on the service. Westlaw addressed the problem by blocking
staff access to the database. It is unclear how many other Westlaw
subscribers have access to the same information.

Commercial Data Brokers' Auditing Raises Serious Questions

The data leaks exposed in recent years have involved tens of thousands,[6]
hundreds of thousands, or even millions[7] of records. How is it that so
many records can be stolen before wrongdoing is detected?

In its subscriber agreement, Choicepoint writes that the company: "will
conduct periodic reviews of Subscriber activity…violations discovered
in any review by [Choicepoint] will be subject to immediate action,
including…referral to federal or state regulatory agencies."

Has the company ever referred subscribers to authorities? Has the
company terminated accounts of subscribers suspected of wrongdoing?
Just how many unauthorized accesses can occur before Choicepoint's self-policing
mechanism catches wrongdoing? 10? 10,000?

Has Choicepoint ever notified individuals, before implementation of
the California Security Breach Notice Law, of unauthorized access to
personal information? The answer may be no. In a recent Securities
and Exchange Commission filing, Choicepoint wrote that in the context of
the most recent breach, the company only searched its records back to
July 1, 2003:

"These numbers were determined by conducting searches of our databases
that matched searches conducted by customers who we believe may have
had unauthorized access to our information products on or after July
1, 2003, the effective date of the California notification law…"[8]

If Choicepoint really cares about privacy and security, why did the
company only search back to the effective date of California's security
breach notification law?

The public does not know the answer to any of these questions.

Choicepoint's New Stance Is Insufficient to Protect Privacy

Two weeks ago, Choicepoint announced that the company will no longer
sell "sensitive consumer data" except where "there is
a specific consumer-driven transaction or benefit, or where the products
support federal, state or local government and criminal justice purposes."[9]
We think that this concession does not fully address the risks to privacy
posed by AutoTrackXP. First, Choicepoint is one of many commercial
data brokers; its decision does not bind others. Second, it has articulated
a subjective standard—"specific consumer-driven transaction or
benefit"—for sale of personal information. Under this standard,
Choicepoint can decide what a consumer benefit is. In the past, Choicepoint
has declared that selling personal information benefits consumers in
the aggregate, and thus individuals should have no right to opt-out
of Choicepoint's databases.[10] Simply put, Choicepoint's idea
of what benefits consumers differs from what consumers and consumer
advocates think benefits them. Third, Choicepoint can always change
its policy to the detriment of privacy. The last decade has seen a
number of companies change their privacy policies to the detriment of
consumers without any objection by the Federal Trade Commission.

VitalChek

VitalChek performs "expedited delivery of over 25,000 certified
vital record documents on a weekly basis…VitalChek now provides service
in all 50 states as well as British Columbia, Canada." VitalChek
is now owned by Choicepoint.

Serious questions are raised by this relationship. Why should this
company have access to vital records in all fifty states? When one
orders a vital record, does Choicepoint get a copy too? Should vital
records, which contain the same information that credit card companies
use to authenticate new accounts, be so easily alienated on vitalchek.com?

And while Choicepoint emphasizes how responsible the company is with
personal data, on its Vitalchek site, anyone can click on "Ultimate
People Finder," and buy personal information on another for $6.95.

Perverting the Purpose of Public Records

Much of the personal information in AutoTrackXP originates from public
records. In a variety of contexts, the government compels individuals
to reveal their personal information, and then pours it into the public
record for anyone to use for any purpose. The private sector has collected
the information, repackaged it, and brought it back to the government
and businesses full circle.

It is unfair to have this information systematically poured into the
public record and used for any purpose by the private sector.[12]

Public record policy in America was designed to protect people from
government power; to provide a window into the operations of officials
and thus a check on arbitrary or abusive exercise of authority. To a
large extent, access to public records has served this purpose. But
with electronic access and the power of aggregation, these policies
have increasingly shifted to benefit the government and businesses.
We need to realign these policies so that less personal information
appears in the public record, while maintaining access to documents
that allows for investigation and oversight of government.

Correction Rights Are Lacking

Many commercial data brokers do not extend any right of correction
to individuals. They explain that since the information came from public
records, the individual must correct the public record in order to amend
the dossier held by the data broker. This policy does not recognize
the potential for error that is inherent in commercial data brokers'
information collection methods. Commercial data brokers send "stringers"
to copy paper records into their databases. These stringers often copy
the records by hand, and thus can make errors in transcription. There
is no systematic way to test how accurate these transcriptions are.

The IRSG Principles Have Failed

The Individual Reference Services Group (IRSG) was formed in order
to manage fomenting criticism regarding companies that sold personal
information. The IRSG created "principles" for the sale of
personal information, but dissolved shortly after passage of the Gramm-Leach-Bliley
Act in 1999.

The Principles set forth a weak framework of protections, allowing
companies to sell non-public personal information "without restriction"
to "qualified subscribers," which include law enforcement
agencies. So-called "qualified subscribers" need only state
a valid purpose for obtaining the information and agree to limit redissemination
of information. Under IRSG Principles, individuals can only opt-out
of the sale of personal information to the "general public,"
but ChoicePoint does not consider its customers to be members of the
general public.

The IRSG Principles have been carefully crafted in order to ensure
maximum flexibility by CDBs. They have failed to set forth a reasonable
degree of protection for individuals. These self-regulatory initiatives
served their purpose—to stop Congress from creating real, enforceable
rights while allowing privacy-invasive activities to continue.

Accordingly, recommended protections are suggested in the next section
to promote privacy.

Suggestions for Reform

George Washington Law Professor Daniel J. Solove and I formulated a
sixteen-point strategy to address commercial data brokers. The full
strategy can be accessed at http://ssrn.com/abstract=681902.
I wish to present several of the approaches today.

Universal Notice

There is no general knowledge about the companies using personal information.
In order to grant consent, gain access, or otherwise exercise one's
rights with regard to personal information maintained by data brokers,
credit reporting agencies, and other institutions, people must know
about what institutions are collecting their data. Accordingly, we
have suggested that any company "primarily engaged in interstate
collection, maintenance, and/or sale of personally identifiable information"
should register with government consumer protection authorities. Such
registration information could be made available online, allowing individuals
to learn of data brokers and their rights with respect to them.

Access to and Accuracy of Personal Information

ChoicePoint and other data brokers collect detailed dossiers of personal
information on practically every American citizen. Most people haven't
even heard of these companies. Even if they do know about these companies,
people have no way of knowing what information is maintained about them,
why it is being kept, to whom it is being disseminated, and how it is
being used. The records maintained by these companies can have inaccuracies.
This wouldn't matter much if the information were never used for anything
important. But the data is being used in ways that directly affect
individuals – by businesses for background checks, creditors for assessing
financial reputations, the government for law enforcement purposes,
and private investigators for investigation. Accordingly, we suggest
that individuals should have the ability to visit a centralized source
to access and correct information from data brokers at no cost.

Secure Identification

Businesses and financial institutions currently grant access to people's
records when the accessor merely supplies a Social Security Number,
date of birth, mother's maiden name, or other forms of personal information
that is either available in public records or sold by data brokers.
This makes the repositories of individuals' personal data and their
accounts woefully insecure, as identity thieves can readily obtain the
information needed to gain access and usurp control.

Accordingly, we suggest that companies develop methods of identification
which (1) are not based on publicly available personal information or
data that can readily be purchased from a data broker; and (2) can be
easily changed if they fall into the wrong hands. Biometric identifiers
present problems because they are impossible to change, and if they
fall into the wrong hands could prove devastating for victims as well
as present ongoing risks to national security.

Social Security Number Use Limitation

Numerous businesses and organizations demand that a person provide
a Social Security Number and then use that number as a password for
access to accounts and data. Many schools and other organizations use
Social Security Numbers on identification cards, thus ensuring that
when a wallet is lost or stolen, one's Social Security Number is exposed.
The use of Social Security Numbers is so extensive that as simple a
transaction as signing up for cell phone service often requires disclosing
one's Social Security Number. Accordingly, we suggest that unless specifically
authorized by statute or regulation, businesses and other private sector
entities shall be barred from using Social Security Numbers for identification
purposes.

Access and Use Restrictions for Public Records

Our current policy for public records was developed in a day where
all information was on paper, dispersed across the country in small
courthouses. Information was poorly indexed; periodically, it was destroyed
by fire, improper storage, or negligence. Access was difficult enough.
Aggregation was impossible. Today, massive database companies sweep
up the data in public record systems and use it to construct dossiers
on individuals for marketers, private investigators, and the government.
This is what ChoicePoint does. These uses of public records turn the
justification for public records on its head. Public records are essential
for effective oversight of government activities, but commercial data
brokers have perverted this principled purpose, and now public records
have become a tool of businesses and the government to watch individuals.

States that allow broad access to public records are supplying troves
of data to law enforcement. For instance, ChoicePoint's AutoTrackXP
services include thirty-six extra databases on Florida residents and
seven extra on Texans. Access to information on Florida residents is
particularly broad. It includes marriage records, beverage licensees,
concealed weapons permits, day care licensees, handicapped parking permits,
"sweepstakes," worker compensation, medical malpractice, and
salt water product licensees.

Accordingly, we suggest that access to personal information in public
records shall be restricted for certain purposes. For example, accessing
public records to obtain data for commercial solicitation should be
prohibited. Other purposes shall be permitted: monitoring the government,
research, educational purposes, tracing property ownership, and other
traditional non-commercial purposes. Furthermore, state and local agencies
that maintain public record systems must make substantial efforts to
limit the disclosure of Social Security Numbers, phone numbers, addresses,
and dates of birth.

Curbing Excessive Uses of Background Checks

Background checks are cheaper now than ever before, leading to a situation
where individuals are being screened for even menial jobs. We risk
altering our society to one where the individual can never escape a
youthful indiscretion or a years-old arrest, even for a minor infraction.
Background checks are frequently being used by employers even for jobs
that do not involve security-related functions, the handling of large
sums of money, or the supervision of children or the elderly. Accordingly,
we suggest that background checks should only be performed in contexts
where fiduciary relationships are involved, where a large amount of
money is handled, where employment involves care taking, or any of the
jobs enumerated by the Employee Privacy Protection Act, 29 U.S.C. §
2007. Whether background checks are performed by employers or by companies
hired to do the screening, the employee or prospective employee shall
receive a copy of the actual investigation.

Limiting Government Access to Business and Financial Records

Increasingly, the government is gathering personal information from
businesses and financial institutions. Companies such as ChoicePoint
have multi-million dollar contracts with government agencies to supply
them with personal information. The Fourth Amendment is often inapplicable
because in a series of cases, including United States v. Miller,
425 US 435 (1976) and Smith v. Maryland, 442 US 735 (1979), the
Court has held that whenever a third party possesses personal information,
there is no reasonable expectation of privacy. In the Information Age,
it is impossible to live without extensive information about one’s life
existing in the hands of various third parties: phone companies, cable
companies, Internet Service Providers, merchants, booksellers, employers,
landlords, and so on. Thus, the government can increasingly obtain
detailed information about a person without ever entering her home.
Accordingly, we recommend that whenever the government attempts to access
personal information from third parties that maintain record systems
of personal information (databases or other records of personally identifiable
information on more than one individual), the government should be required
to obtain a special court order that requires probable cause and particularized
suspicion that the information sought involves evidence of a crime.
Exceptions should exist for reasonable law enforcement needs, including
emergency circumstances.

Finally, I wish to note that the Solove/Hoofnagle approach would preserve
the rights of the states to continue to innovate new protections for
privacy.

Conclusion

Thank you for holding this hearing on information aggregators. We
have long suspected, and recent events now have confirmed, that commercial
data brokers present a serious risk to privacy that needs to be addressed
by robust privacy law. We look forward to continuing to work with
the Committee to provide information on this topic and other privacy
issues.

[7] The records of twenty million people, some of which
contained SSNs, were stolen from commercial data broker Acxiom in
2003. While Acxiom claimed that its security system was extraordinary,
hackers were able to download password files for all accounts on the
system. DOJ, Milford Man Pleads Guilty to Hacking Intrusion and Theft
of Data Cost Company $5.8 Million, Dec. 18, 2003, available at http://www.usdoj.gov/criminal/cybercrime/baasPlea.htm.

[8] Choicepoint form 8-K, Mar. 4, 2005, available at
http://phx.corporate-ir.net/phoenix.zhtml?c=95293&p=irol-SECText&TEXT=aHR0cDovL2NjYm4uMTBrd2l6YXJkLmNvbS94bWwvZmlsaW5nLnhtbD9yZXBvPXRlbmsmaXBhZ2U9MzMxMzE3MiZkb2M9MCZhdHRhY2g9b24=

[10] The privacy statement mailed to individuals who
request their AutoTrackXP report read in part: "We feel that
removing information from these products would render them less useful
for important business purposes, many of which ultimately benefit
consumers. ChoicePoint DOES NOT DISTRIBUTE NON-PUBLIC INFORMATION
(as defined in the Principles) TO THE GENERAL PUBLIC PURSUANT TO SECTION
V(C) OF THE PRINCIPLES. The general public therefore has NO direct
access to or use of NON-PUBLIC INFORMATION (as defined in the Principles)
from ChoicePoint whatsoever." Letter from Gina Moore, ChoicePoint,
to Chris Hoofnagle, Electronic Privacy Information Center (Feb. 21,
2003) (emphasis in original), available at http://epic.org/privacy/choicepoint/cp_nooptout.pdf.